NIST solicits industry for voluntary security standards

Feb. 28, 2013 - 04:00PM
|

Adam Sedgewick of the National Institute of Standards and Technology. ()

ADVERTISEMENT

SAN FRANCISCO — The National Institute of Standards and Technology (NIST) is laying the groundwork for the administration’s voluntary cybersecurity program, geared toward critical infrastructure companies.

On Tuesday, NIST released a request for information asking industry about their internal cybersecurity measures, best practices for their sector, and what standards and guidelines shaped those practices.

Under the president’s cybersecurity executive order released this month, industry will create the voluntary security standards for critical infrastructure companies, with oversight from NIST. The agency will publish a draft cybersecurity framework by October that includes those standards and work with the Department of Homeland Security to publish a final version of the framework within a year.

“The [request for information] presents our initial consideration of what we think needs to be in the framework,” Adam Sedgewick, NIST’s lead on the cyber framework, said in an interview at the RSA conference. Sedgewick said the process for developing the framework will be similar to NIST’s work in collecting standards to create a security framework for the smart grid.

Companies have until April 9 to respond to the request, but Sedgewick said industry and the general public will have numerous opportunities to share their input. NIST will host a workshop at its Gaithersburg, Md., headquarters on April 3, to update industry and provide an open dialogue with companies.

Some have questioned whether government bureaucracy will bog down the process and if NIST has adequate resources and people to develop the framework. Sedgewick said NIST is up for the task, and what makes the agency effective is its ability to draw on expertise internally, across government and in the private sector.

Some “people ... think we’re going to create new standards for the private sector, but this is actually closer to a lot of what NIST’s traditional work is, which is seeing where the market is already and understanding where the gaps are, then suggesting where more work needs to be done,” he said.

To ensure industry participation in the program, the administration is also considering what incentives can be provided to companies. The Commerce Department will soon release a request to industry for information on possible incentives.